Monitoring a media access control security session

ABSTRACT

A device may determine that a first link of the device is active. The device may determine whether a Media Access Control Security (MACsec) session is established on the first link. The device may selectively enable or disable a second link of the device based on determining whether the MACsec session is established on the first link.

RELATED APPLICATION

This application is a continuation of U.S. patent application Ser. No.16/506,544, filed Jul. 9, 2019 (now U.S. Pat. No. 11,323,437), which isincorporated herein by reference in its entirety.

BACKGROUND

Media Access Control Security (MACsec) provides secure communication fortraffic on physical links, such as Ethernet links. MACsec providespoint-to-point security on links between directly connected devices.Moreover, a device may employ link failure detection on an uplinkinterface and propagate a detected failure to a downlink interface sothat other devices connected to the downlink interface can switch to asecondary interface to maintain a flow of traffic.

SUMMARY

According to some implementations, a method may include determining, bya device, that a first link of the device is active; determining, by thedevice, whether a Media Access Control Security (MACsec) session isestablished on the first link; and selectively enabling or disabling, bythe device, a second link of the device based on determining whether theMACsec session is established on the first link.

According to some implementations, a device may comprise one or morememories; and one or more processors, communicatively coupled to the oneor more memories, to: determine that a first link between the device andan additional device is active; determine that a MACsec session isestablished on the first link; enable a second link between the deviceand a server device based on determining that the MACsec session isestablished; receive, after enabling the second link, data from theserver device via the second link; and send the data to the additionaldevice via the first link.

According to some implementations, a non-transitory computer-readablemedium may store one or more instructions. The one or more instructions,when executed by one or more processors of a device, may cause the oneor more processors to: determine that a plurality of first links betweenthe device and an additional device are active; determine that a MACsecsession is not established on any first link of the plurality of firstlinks; disable a second link between the device and a server devicebased on determining that a MACsec session is not established on anyfirst link of the plurality of first links; determine, after disablingthe second link, that a MACsec session is established on at least onefirst link of the plurality of first links; enable the second link basedon determining that the MACsec session is established on the at leastone first link; receive, after enabling the second link, data from theserver device via the second link; and send the data to the additionaldevice via the at least one first link.

BRIEF DESCRIPTION OF THE DRAWINGS

FIGS. 1A-1F are diagrams of example implementations described herein.

FIG. 2 is a diagram of an example environment in which systems and/ormethods described herein may be implemented.

FIGS. 3A and 3B are diagrams of example components of one or moredevices of FIG. 2 .

FIGS. 4-6 are flow charts of example processes for a monitoring a linkfor establishment of a Media Access Control security (MACsec) session.

DETAILED DESCRIPTION

The following detailed description of example implementations refers tothe accompanying drawings. The same reference numbers in differentdrawings may identify the same or similar elements.

Media Access Control Security (MACsec) provides point-to-point securityon a physical link between two directly connected devices to ensureintegrity of data transmitted between the two devices. Issues arise,however, when a MACsec session fails to be established on a link. Forexample, in some cases, a device, such as a router or switch, mayreceive data that is to be transmitted to an additional device via alink that has a MACsec session established. If a MACsec session is notestablished (or not yet established) on a link between the device andthe additional device, the device may drop the data rather than forwardthe traffic via the link. This is often referred to as trafficblackholing.

Some implementations described herein provide a device that monitors alink for establishment of a MACsec session. In some implementations, thedevice may determine that a first link (or a set of first links) betweenthe device and an additional device is active, and may determine whethera MACsec session is established on the first link (or a set of firstlinks). In some implementations, when the device determines that aMACsec session is not established on the first link (or the set of firstlinks), the device may disable a second link (or a set of second links)between the device and a server device, which prevents the server devicefrom sending data to the device. In some implementations, when thedevice determines that a MACsec session is established on the first link(or the set of first links), the device may enable the second link (orthe set of second links), which allows the server device to send data tothe device. In some implementations, the device may receive, afterenabling the second link (or the set of second links), the data from theserver device via the second link (or the set of second links) and maysend the data to the additional device via the first link (or the set offirst links) (e.g., because a MACsec session is established on the firstlink or the set of first links).

In this way, some implementations described herein prevent trafficblackholing because the device only enables the second link when thedevice determines that a MACsec session is established on the firstlink. Accordingly, the device only receives traffic from the serverdevice via the second link when the device is able to forward thetraffic to the additional device via the first link. Moreover, someimplementations described herein require only the device to performoperations to determine whether a MACsec session is established on thefirst link. This reduces an amount of time and/or resources (e.g.,processing resources, memory resources, power resources, networkingresources, and/or the like) that would otherwise be used by theadditional device to assist in determining whether a MACsec session isestablished on the first link (e.g., by communicating heartbeat signalsvia a MACsec session on the first link).

FIGS. 1A-1F are diagrams of one or more example implementations 100described herein. Example implementation(s) 100 may include a firstdevice (shown in FIGS. 1A-1F as “first device”), a second device (shownin FIGS. 1A-1F as “second device”), a third device (shown in FIG. 1B as“third device”), a fourth device (shown in FIG. 1B as “fourth device”),and/or a server device (shown in FIGS. 1A-1F). The first device, thesecond device, the third device, and/or the fourth device may eachinclude various types of network devices, such as a router, a gateway, aswitch, a bridge, a wireless access point, a base station, a spine, afirewall, and/or the like. The first device, the second device, thethird device, the fourth device, and/or the server device may beincluded in a network, such as a cellular network, a local area network(LAN), a core network, an access network, a wide area network (WAN) suchas the Internet, a cloud network, and/or the like.

As shown in FIG. 1A, a first link may connect the first device to thesecond device. The first link may be a physical link, such as anEthernet link. That is, the link may connect a physical port of thefirst device to a physical port of the second device. The first deviceand the second device may communicate data via the first link.Similarly, as shown in FIG. 1A, a second link may connect the firstdevice to the server device. The second link may be a physical link,such as an Ethernet link, that connects a physical port of the firstdevice to a physical port of the server device. The first device and theserver device may communicate data via the second link.

In some implementations, the first device and/or the second device maybe able to establish a MACsec session on the first link. For example,the first device and the second device may exchange security keys viathe first link and verify the security keys to establish a MACsecsession on the first link. In some implementations, the first deviceand/or the second device may initiate establishment of a MACsec sessionon the first link. Additionally, or alternatively, the first device maycause the second device (e.g., by sending a message to the seconddevice) to initiate establishment of a MACsec session on the first link.In some implementations, the first device and or the second device maytake a particular amount of time (e.g., 10 milliseconds, 100milliseconds, 1 second, and/or the like) to establish a MACsec sessionon the first link (e.g., to exchange and verify security keys).

Additionally, or alternatively, the first device and/or the seconddevice may not be able to establish a MACsec session on the first link.As an example, the first device and/or the second device may not beconfigured to establish a MACsec session. In an additional example, thefirst device and the second device may exchange mismatched security keyswhen attempting to establish a MACsec session on the first link, whichmay prevent the security keys from being verified by the first deviceand/or the second device. As another example, the first device may beconfigured to use a first encryption algorithm and the second device maybe configured to use a second encryption algorithm, which may cause acipher mismatch issue when the first device and the second deviceattempt to establish a MACsec session on the first link.

As shown by reference number 102, the first device may determine thatthe first link is active. That is, the first device may determine that aphysical layer and/or a datalink layer of the first link has an activestatus, that power is being provided to the first link (e.g., the firstlink is powered up), and/or the like. Additionally, or alternatively,the first device may determine that the first link is inactive. That is,the first device may determine that a physical layer and/or a datalinklayer of the first link has an inactive status, that power is not beingprovided to the first link (e.g., the first link is powered down),and/or the like.

In some implementations, the first device may determine whether a MACsecsession is established on the first link (e.g., based on determiningthat the first link is active). For example, the first device maydetermine whether an authentication process associated with the MACsecsession (e.g. exchanging and verifying security keys) was successful.

As shown by reference number 104, the first device may determine that aMACsec session is not established on the first link (e.g., bydetermining that an authentication process associated with the MACsecsession was not successful). The MACsec session may not be establishedon the first link because the MACsec session is in a process of beingestablished on the first link, the first device and/or the second devicemay not be able to establish a MACsec session for the reasons statedherein, and/or the like. In some implementations, the first device maydetermine that a MACsec session is not established on the first linkafter determining that that the first link is active (e.g., as describedherein in relation to reference number 102) and/or determining that aMACsec session was established on the first link (e.g., as describedherein in relation to reference number 112).

As shown by reference number 106, the first device may disable thesecond link (e.g., based on determining that a MACsec session is notestablished on the first link). For example, the first device may causea physical layer and/or a datalink layer of the second link to bedeactivated (e.g., change a status of the physical layer and/or thedatalink layer of the second link to an inactive status). As anotherexample, the first device may cause power to cease being provided to thesecond link (e.g., cause the second link to be powered down).

In some implementations, based on the second link being disabled, theserver device and the first device may not be able to communicate.Accordingly, the server device may send data (e.g., that includes one ormore packets) to a different device (e.g., for routing to a destinationaddress). For example, as shown in FIG. 1B and by reference number 108,the server device may send the data to the third device via a thirdlink. The third link may be a physical link, such as an Ethernet link,that connects a physical port of the server device to a physical port ofthe third device. Further, as shown by reference number 110, the thirddevice may send the data to the fourth device via a fourth link. Thefourth link may be a physical link, such as an Ethernet link, thatconnects a physical port of the third device to a physical port of thefourth device. In this example, a MACsec session may be established onthe fourth link, which enables the third device to send the data to thefourth device via the fourth link. Additionally, or alternatively, thethird device may send the data to the second device via the fourth link,instead of the fourth device. In this way, the data can be transmittedto a destination address (e.g., in this case, the second device) evenwhen the second link is deactivated.

As shown in FIG. 1C and by reference number 112, the first device maydetermine that a MACsec session is established on the first link (e.g.,by determining that an authentication process associated with the MACsecsession was successful). For example, the first device may determinethat the first device and the second device successfully exchanged andverified security keys (e.g., for establishing the MACsec session). Thefirst device may determine that the MACsec session is established on thefirst link based on determining that the first link is active (e.g., asdescribed herein in relation to reference number 102) and/or subsequentto determining that a MACsec session was not established on the firstlink (e.g., as described herein in relation to reference number 104).

Accordingly, as shown by reference number 114, the first device mayenable the second link (e.g., based on determining that a MACsec sessionis established on the first link). For example, the first device maycause a physical layer and/or a datalink layer of the second link to beactivated (e.g., change a status of the physical layer and/or thedatalink layer of the second link to an active status). As anotherexample, the first device may cause power to be provided to the secondlink (e.g., cause the second link to be powered up).

In some implementations, based on the second link being enabled, theserver device and the first device may be able to communicate.Accordingly, as shown in FIG. 1D and by reference number 116, the serverdevice may send data (e.g., that includes one or more packets) to thefirst device (e.g., for routing to a destination address) via the secondlink. Further, as shown by reference number 118, the first device maysend the data to the second device via the first link (e.g., because thefirst link is active and the MACsec session is established on the firstlink).

In some implementations, the first device may process the data beforesending the data to the second device via the first link. That is, thefirst device may cause the data to be formatted for transmission via aMACsec session and may send the formatted data to the second device viathe first link. For example, the first device may cause the data to beencrypted using an encryption algorithm associated with the MACsecsession and may send, after causing the data to be encrypted, the datato the second device via the first link.

In some implementations, the second device may send additional data tothe first device via the first link (e.g., because the first link isactive and a MACsec session is established on the first link).Accordingly, the first device may send the additional data to the serverdevice via the second link (e.g., because the second link is active).

While some implementations described herein concern the first devicebeing connected to the second device via a single link, additionalimplementations are contemplated. As shown in FIG. 1E, a plurality offirst links connect the first device to the second device. Each firstlink of the plurality of first links may be a physical link, such as anEthernet link, that may connect a physical port of the first device to aphysical port of the second device. The first device and/or the seconddevice may or may not be able to establish a respective MACsec sessionon each first link of the plurality of first links in a similar manneras described herein in relation to FIG. 1A.

In some implementations, the first device may determine that one or morefirst links of the plurality of links are active or inactive, in asimilar manner as described herein in relation to FIG. 1A. For example,the first device may determine that a respective physical layer and/or adatalink layer of each first link, of the one or more first links, hasan active status, that power is being provided to each first link (e.g.,each first link is powered up), and/or the like. As another example, thefirst device may determine that a respective physical layer and/or adatalink layer of each first link, of the one or more first links, hasan inactive status, that power is not being provided to each first link(e.g., each first link is powered down), and/or the like.

In some implementations, the first device may determine whether arespective MACsec session is established on one or more of the one ormore first links (e.g., based on determining that the one or more linksare active), in a similar manner as described herein in relation to FIG.1A. In some implementations, the first device may determine that aMACsec session is not established on any first link of the one or morefirst links. For example, the first device may determine, for each firstlink of the one or more first links, that a MACsec authenticationprocess associated with the first link was not successful.

Accordingly, the first device may disable one or more second links thatconnect the first device and the server device (e.g., based ondetermining that a MACsec session is not established on any first linkof the one or more first links), in a similar manner as described hereinin relation to FIG. 1A. For example, the first device may cause aphysical layer and/or a datalink layer of the one or more second linksto be deactivated (e.g., change a status of the physical layer and/orthe datalink layer of the one or more second links to an inactivestatus), cause power to cease being provided to the one or more secondlinks (e.g., cause the one or more second links to be powered down),and/or the like.

In some implementations, as shown by reference number 120, the firstdevice may determine that a MACsec session is established on at leastone first link of the one or more first links, in a similar manner asdescribed herein in relation to FIG. 1C and reference number 112. Forexample, the first device may determine that the first device and thesecond device successfully exchanged and verified security keysassociated with a MACsec session via the at least one first link.

Accordingly, as shown by reference number 122, the first device mayenable the one or more second links (e.g., based on determining that aMACsec session is established on the at least one first link of the oneor more first links). For example, the first device may cause a physicallayer and/or a datalink layer of the one or more seconds link to beactivated (e.g., change a status of the physical layer and/or thedatalink layer of the one or more second links to an active status),cause power to be provided to the one or more second links (e.g., causethe one or more second links to be powered up), and/or the like.

In some implementations, based on the one or more second links beingenabled, the server device may send data (e.g., that includes one ormore packets) to the first device (e.g., for routing to a destinationaddress), in a similar manner as described herein in relation to FIG. 1Dand reference number 116. For example, as shown by reference number 124,the server device may send the data to the first device via the one ormore second links. Further, as shown by reference number 126, the firstdevice may send the data to the second device via the at least one firstlink (e.g., because the at least one first link is active and a MACsecsession is established on the at least one first link), in a similarmanner as described herein in relation to FIG. 1D and reference number118.

In some implementations, the first device may process the data beforesending the data to the second device via the at least one first link,in a similar manner as described herein in relation to FIG. 1D. Forexample, the first device may cause the data to be formatted fortransmission via a MACsec session (e.g., cause the data to be encryptedusing an encryption algorithm associated with the MACsec session) andmay send the formatted data (e.g., the encrypted data) to the seconddevice via the at least one first link.

In some implementations, the second device may send first additionaldata to the first device via the at least one first link (e.g., becausethe at least one first link is active and a MACsec session isestablished on the at least one first link). Accordingly, the firstdevice may send the first additional data to the server device via theone or more second links (e.g., because the one or more second links areactive).

Additionally, or alternatively, the first device may determine (e.g.,after sending the data to the second device via the at least one firstlink and/or sending the first additional data to the server device viathe one or more second links), that a MACsec session is established onat least one additional first link of the one or more first links, insimilar manner as described herein in relation to FIG. 1E. Accordingly,the first device may receive second additional data from the serverdevice via the one or more second links and may send the secondadditional data to the second device via the at least one first linkand/or the at least one additional first link, in a similar manner asdescribed herein in relation to FIG. 1F.

While some implementations described herein describe operations beingperformed in association with the first device, second device, thirddevice, and/or fourth device receiving and/or sending data from or tothe server device, additional implementations contemplate the operationsbeing performed in associating with the first device, second device,third device, and/or fourth device receiving and/or sending data from orto any device (e.g., a fifth device). that includes various types ofnetwork devices, such as a router, a gateway, a switch, a bridge, awireless access point, a base station, a spine, a firewall, and/or thelike.

As indicated above, FIGS. 1A-1F are provided merely as one or moreexamples. Other examples may differ from what is described with regardto FIGS. 1A-1F.

FIG. 2 is a diagram of an example environment 200 in which systemsand/or methods described herein may be implemented. As shown in FIG. 2 ,environment 200 may include device 210, device 220, device 230, device240, and/or server device 250. Devices of environment 200 mayinterconnect via wired connections, wireless connections, or acombination of wired and wireless connections.

Device 210 includes one or more devices capable of receiving, storing,generating, processing, forwarding, and/or transferring information. Forexample, device 210 may include a router, a switch (e.g., a top-of-rack(TOR) switch), a gateway, a firewall device, a modem, a hub, a bridge, anetwork interface controller (NIC), a reverse proxy, a server (e.g., aproxy server), a multiplexer, a security device, an intrusion detectiondevice, a load balancer, or a similar device. In some implementations,device 210 may be a physical device implemented within a housing, suchas a chassis. In some implementations, device 210 may be a virtualdevice implemented by one or more computer devices of a cloud computingenvironment or a data center. In some implementations, device 210 maycommunicate with device 220 via at least one first link and maycommunicate with server device 250 via at least one second link. In someimplementations, device 210 may communicate with device 240 via at leastone additional link. In some implementations, a MACsec session may beestablished on the at least one first link.

Device 220 includes one or more devices capable of receiving, storing,generating, processing, forwarding, and/or transferring information. Forexample, device 220 may include a router, a switch, a gateway, afirewall device, a modem, a hub, a bridge, a network interfacecontroller (NIC), a reverse proxy, a server (e.g., a proxy server), amultiplexer, a security device, an intrusion detection device, a loadbalancer, a spine, or a similar device. In some implementations, device220 may be a physical device implemented within a housing, such as achassis. In some implementations, device 220 may be a virtual deviceimplemented by one or more computer devices of a cloud computingenvironment or a data center. In some implementations, device 220 maycommunicate with device 210 via at least one link and may communicatewith device 230 via at least one additional link. In someimplementations, a MACsec session may be established on the at least onelink.

Device 230 includes one or more devices capable of receiving, storing,generating, processing, forwarding, and/or transferring information. Forexample, device 230 may include a router, a switch (e.g., a top-of-rack(TOR) switch), a gateway, a firewall device, a modem, a hub, a bridge, anetwork interface controller (NIC), a reverse proxy, a server (e.g., aproxy server), a multiplexer, a security device, an intrusion detectiondevice, a load balancer, or a similar device. In some implementations,device 230 may be a physical device implemented within a housing, suchas a chassis. In some implementations, device 230 may be a virtualdevice implemented by one or more computer devices of a cloud computingenvironment or a data center. In some implementations, device 230 maycommunicate with device 240 via at least one first link and maycommunicate with server device 250 via at least one second link. In someimplementations, device 230 may communicate with device 220 via at leastone additional link. In some implementations, a MACsec session may beestablished on the at least one first link.

Device 240 includes one or more devices capable of receiving, storing,generating, processing, forwarding, and/or transferring information. Forexample, device 240 may include a router, a switch, a gateway, afirewall device, a modem, a hub, a bridge, a network interfacecontroller (NIC), a reverse proxy, a server (e.g., a proxy server), amultiplexer, a security device, an intrusion detection device, a loadbalancer, a spine, or a similar device. In some implementations, device240 may be a physical device implemented within a housing, such as achassis. In some implementations, device 240 may be a virtual deviceimplemented by one or more computer devices of a cloud computingenvironment or a data center. In some implementations, device 240 maycommunicate with device 230 via at least one link and may communicatewith device 210 via at least one additional link. In someimplementations, a MACsec session may be established on the at least onelink.

Server device 250 includes one or more devices capable of receiving,generating, storing, processing, and/or providing information, such asinformation described herein. For example, server device 250 may includea laptop computer, a tablet computer, a desktop computer, a server, agroup of servers, or a similar type of device. In some implementations,server device 250 may communicate with device 210 via a first link(e.g., using a first network interface controller (NIC) of the serverdevice 250) and/or may communicate with device 230 via a second link(e.g., using a second NIC of the server device 250).

The number and arrangement of devices and networks shown in FIG. 2 areprovided as one or more examples. In practice, there may be additionaldevices, fewer devices and/or networks, different devices and/ornetworks, or differently arranged devices and/or networks than thoseshown in FIG. 2 . Furthermore, two or more devices shown in FIG. 2 maybe implemented within a single device, or a single device shown in FIG.2 may be implemented as multiple, distributed devices. Additionally, oralternatively, a set of devices (e.g., one or more devices) ofenvironment 200 may perform one or more functions described as beingperformed by another set of devices of environment 200.

FIGS. 3A-3B are diagrams of example components of one or more devices ofFIG. 2 . FIG. 3A is a diagram of example components of a device 300.Device 300 may correspond to device 210, device 220, device 230, device240, server device 250 and/or the like. In some implementations, device210, device 220, device 230, device 240, server device 250 and/or thelike may include one or more devices 300 and/or one or more componentsof device 300. As shown in FIG. 3A, device 300 may include a bus 305, aprocessor 310, a memory 315, a storage component 320, an input component325, an output component 330, and a communication interface 335.

Bus 305 includes a component that permits communication among thecomponents of device 300. Processor 310 is implemented in hardware,firmware, or a combination of hardware and software. Processor 310 takesthe form of a central processing unit (CPU), a graphics processing unit(GPU), an accelerated processing unit (APU), a microprocessor, amicrocontroller, a digital signal processor (DSP), a field-programmablegate array (FPGA), an ASIC, or another type of processing component. Insome implementations, processor 310 includes one or more processorscapable of being programmed to perform a function. Memory 315 includes arandom access memory (RAM), a read only memory (ROM), and/or anothertype of dynamic or static storage device (e.g., a flash memory, amagnetic memory, and/or an optical memory) that stores informationand/or instructions for use by processor 310.

Storage component 320 stores information and/or software related to theoperation and use of device 300. For example, storage component 320 mayinclude a hard disk (e.g., a magnetic disk, an optical disk, amagneto-optic disk, and/or a solid state disk), a compact disc (CD), adigital versatile disc (DVD), a floppy disk, a cartridge, a magnetictape, and/or another type of non-transitory computer-readable medium,along with a corresponding drive.

Input component 325 includes a component that permits device 300 toreceive information, such as via user input (e.g., a touch screendisplay, a keyboard, a keypad, a mouse, a button, a switch, and/or amicrophone). Additionally, or alternatively, input component 325 mayinclude a sensor for sensing information (e.g., a global positioningsystem (GPS) component, an accelerometer, a gyroscope, and/or anactuator). Output component 330 includes a component that providesoutput information from device 300 (e.g., a display, a speaker, and/orone or more light-emitting diodes (LEDs)).

Communication interface 335 includes a transceiver-like component (e.g.,a transceiver and/or a separate receiver and transmitter) that enablesdevice 300 to communicate with other devices, such as via a wiredconnection, a wireless connection, or a combination of wired andwireless connections. Communication interface 335 may permit device 300to receive information from another device and/or provide information toanother device. For example, communication interface 335 may include anEthernet interface, an optical interface, a coaxial interface, aninfrared interface, a radio frequency (RF) interface, a universal serialbus (USB) interface, a Wi-Fi interface, a cellular network interface, orthe like.

Device 300 may perform one or more processes described herein. Device300 may perform these processes based on processor 310 executingsoftware instructions stored by a non-transitory computer-readablemedium, such as memory 315 and/or storage component 320. Acomputer-readable medium is defined herein as a non-transitory memorydevice. A memory device includes memory space within a single physicalstorage device or memory space spread across multiple physical storagedevices.

Software instructions may be read into memory 315 and/or storagecomponent 320 from another computer-readable medium or from anotherdevice via communication interface 335. When executed, softwareinstructions stored in memory 315 and/or storage component 320 may causeprocessor 310 to perform one or more processes described herein.Additionally, or alternatively, hardwired circuitry may be used in placeof or in combination with software instructions to perform one or moreprocesses described herein. Thus, implementations described herein arenot limited to any specific combination of hardware circuitry andsoftware.

The number and arrangement of components shown in FIG. 3A are providedas an example. In practice, device 300 may include additionalcomponents, fewer components, different components, or differentlyarranged components than those shown in FIG. 3A. Additionally, oralternatively, a set of components (e.g., one or more components) ofdevice 300 may perform one or more functions described as beingperformed by another set of components of device 300.

FIG. 3B is a diagram of example components of a device 350. Device 350may correspond to device 210, device 220, device 230, device 240, serverdevice 250 and/or the like. In some implementations, device 210, device220, device 230, device 240, server device 250 and/or the like mayinclude one or more devices 350 and/or one or more components of device350. As shown in FIG. 3B, device 350 may include one or more inputcomponents 355-1 through 355-B (B≥1) (hereinafter referred tocollectively as input components 355, and individually as inputcomponent 355), a switching component 360, one or more output components365-1 through 365-C (C≥1) (hereinafter referred to collectively asoutput components 365, and individually as output component 365), and acontroller 370.

Input component 355 may be points of attachment for physical links andmay be points of entry for incoming traffic, such as packets. Inputcomponent 355 may process incoming traffic, such as by performing datalink layer encapsulation or decapsulation. In some implementations,input component 355 may send and/or receive packets. In someimplementations, input component 355 may include an input line card thatincludes one or more packet processing components (e.g., in the form ofintegrated circuits), such as one or more interface cards (Ficus),packet forwarding components, line card controller components, inputports, processors, memories, and/or input queues. In someimplementations, device 350 may include one or more input components355.

Switching component 360 may interconnect input components 355 withoutput components 365. In some implementations, switching component 360may be implemented via one or more crossbars, via busses, and/or withshared memories. The shared memories may act as temporary buffers tostore packets from input components 355 before the packets areeventually scheduled for delivery to output components 365. In someimplementations, switching component 360 may enable input components355, output components 365, and/or controller 370 to communicate.

Output component 365 may store packets and may schedule packets fortransmission on output physical links. Output component 365 may supportdata link layer encapsulation or decapsulation, and/or a variety ofhigher-level protocols. In some implementations, output component 365may send packets and/or receive packets. In some implementations, outputcomponent 365 may include an output line card that includes one or morepacket processing components (e.g., in the form of integrated circuits),such as one or more IFCs, packet forwarding components, line cardcontroller components, output ports, processors, memories, and/or outputqueues. In some implementations, device 350 may include one or moreoutput components 365. In some implementations, input component 355 andoutput component 365 may be implemented by the same set of components(e.g., and input/output component may be a combination of inputcomponent 355 and output component 365).

Controller 370 includes a processor in the form of, for example, a CPU,a GPU, an APU, a microprocessor, a microcontroller, a DSP, an FPGA, anASIC, and/or another type of processor. The processor is implemented inhardware, firmware, or a combination of hardware and software. In someimplementations, controller 370 may include one or more processors thatcan be programmed to perform a function.

In some implementations, controller 370 may include a RAM, a ROM, and/oranother type of dynamic or static storage device (e.g., a flash memory,a magnetic memory, an optical memory, etc.) that stores informationand/or instructions for use by controller 370.

In some implementations, controller 370 may communicate with otherdevices, networks, and/or systems connected to device 300 to exchangeinformation regarding network topology. Controller 370 may createrouting tables based on the network topology information, createforwarding tables based on the routing tables, and forward theforwarding tables to input components 355 and/or output components 365.Input components 355 and/or output components 365 may use the forwardingtables to perform route lookups for incoming and/or outgoing packets.

Controller 370 may perform one or more processes described herein.Controller 370 may perform these processes in response to executingsoftware instructions stored by a non-transitory computer-readablemedium. A computer-readable medium is defined herein as a non-transitorymemory device. A memory device includes memory space within a singlephysical storage device or memory space spread across multiple physicalstorage devices.

Software instructions may be read into a memory and/or storage componentassociated with controller 370 from another computer-readable medium orfrom another device via a communication interface. When executed,software instructions stored in a memory and/or storage componentassociated with controller 370 may cause controller 370 to perform oneor more processes described herein. Additionally, or alternatively,hardwired circuitry may be used in place of or in combination withsoftware instructions to perform one or more processes described herein.Thus, implementations described herein are not limited to any specificcombination of hardware circuitry and software.

The number and arrangement of components shown in FIG. 3B are providedas an example. In practice, device 350 may include additionalcomponents, fewer components, different components, or differentlyarranged components than those shown in FIG. 3B. Additionally, oralternatively, a set of components (e.g., one or more components) ofdevice 350 may perform one or more functions described as beingperformed by another set of components of device 350.

FIG. 4 is a flowchart of an example process 400 for monitoring a linkfor establishment of a Media Access Control Security (MACsec) session.In some implementations, one or more process blocks of FIG. 4 may beperformed by a first device (e.g., device 210). In some implementations,one or more process blocks of FIG. 4 may be performed by another deviceor a group of devices (e.g., device 220, device 230, device 240, and/orthe like) separate from or including the device.

As shown in FIG. 4 , process 400 may include determining that a firstlink of the device is active (block 410). For example, the device (e.g.,using processor 310, memory 315, storage component 320, input component325, output component 330, communication interface 335, input component355, switching component 360, output component 365, controller 370,and/or the like) may determine that a first link of the device isactive, as described above.

As further shown in FIG. 4 , process 400 may include determining whethera MACsec session is established on the first link (block 420). Forexample, the device (e.g., using processor 310, memory 315, storagecomponent 320, input component 325, output component 330, communicationinterface 335, input component 355, switching component 360, outputcomponent 365, controller 370, and/or the like) may determine whether aMACsec session is established on the first link, as described above.

As further shown in FIG. 4 , process 400 may include selectivelyenabling or disabling a second link of the device based on determiningwhether the MACsec session is established on the first link (block 430).For example, the device (e.g., using processor 310, memory 315, storagecomponent 320, input component 325, output component 330, communicationinterface 335, input component 355, switching component 360, outputcomponent 365, controller 370, and/or the like) may selectively enableor disable a second link of the device based on determining whether theMACsec session is established on the first link, as described above.

Process 400 may include additional implementations, such as any singleimplementation or any combination of implementations described belowand/or in connection with one or more other processes describedelsewhere herein.

In a first implementation, the first link connects the device and arouting device.

In a second implementation, alone or in combination with the firstimplementation, the second link connects the device and a server device.

In a third implementation, alone or in combination with one or more ofthe first and second implementations, the device may receive, afterenabling the second link, data from a server device via the second linkand may send the data to a different device via the first link.

In a fourth implementation, alone or in combination with one or more ofthe first through third implementations, determining whether the MACsecsession is established on the first link comprises determining whetheran authentication process associated with the MACsec session wassuccessful.

In a fifth implementation, alone or in combination with one or more ofthe first through fourth implementations, determining that the firstlink is active comprises determining that a physical layer of the firstlink has an active status.

In a sixth implementation, alone or in combination with one or more ofthe first through fifth implementations, enabling the second linkcomprises causing a physical layer of the second link to be activated.

In a seventh implementation, alone or in combination with one or more ofthe first through sixth implementations, disabling the second linkcomprises causing a physical layer of the second link to be deactivated.

Although FIG. 4 shows example blocks of process 400, in someimplementations, process 400 may include additional blocks, fewerblocks, different blocks, or differently arranged blocks than thosedepicted in FIG. 4 . Additionally, or alternatively, two or more of theblocks of process 400 may be performed in parallel.

FIG. 5 is a flowchart of an example process 500 for monitoring a linkfor establishment of a MACsec session. In some implementations, one ormore process blocks of FIG. 5 may be performed by a first device (e.g.,device 210). In some implementations, one or more process blocks of FIG.5 may be performed by another device or a group of devices (e.g., device220, device 230, device 240, and/or the like) separate from or includingthe device.

As shown in FIG. 5 , process 500 may include determining that a firstlink between the device and an additional device is active (block 510).For example, the device (e.g., using processor 310, memory 315, storagecomponent 320, input component 325, output component 330, communicationinterface 335, input component 355, switching component 360, outputcomponent 365, controller 370, and/or the like) may determine that afirst link between the device and an additional device is active, asdescribed above.

As further shown in FIG. 5 , process 500 may include determining that aMACsec session is established on the first link (block 520). Forexample, the device (e.g., using processor 310, memory 315, storagecomponent 320, input component 325, output component 330, communicationinterface 335, input component 355, switching component 360, outputcomponent 365, controller 370, and/or the like) may determine that aMACsec session is established on the first link, as described above.

As further shown in FIG. 5 , process 500 may include enabling a secondlink between the device and a server device based on determining thatthe MACsec session is established (block 530). For example, the device(e.g., using processor 310, memory 315, storage component 320, inputcomponent 325, output component 330, communication interface 335, inputcomponent 355, switching component 360, output component 365, controller370, and/or the like) may enable a second link between the device and aserver device based on determining that the MACsec session isestablished, as described above.

As further shown in FIG. 5 , process 500 may include receiving, afterenabling the second link, data from the server device via the secondlink (block 540). For example, the device (e.g., using processor 310,memory 315, storage component 320, input component 325, output component330, communication interface 335, input component 355, switchingcomponent 360, output component 365, controller 370, and/or the like)may receive, after enabling the second link, data from the server devicevia the second link, as described above.

As further shown in FIG. 5 , process 500 may include sending the data tothe additional device via the first link (block 550). For example, thedevice (e.g., using processor 310, memory 315, storage component 320,input component 325, output component 330, communication interface 335,input component 355, switching component 360, output component 365,controller 370, and/or the like) may send the data to the additionaldevice via the first link, as described above.

Process 500 may include additional implementations, such as any singleimplementation or any combination of implementations described belowand/or in connection with one or more other processes describedelsewhere herein.

In a first implementation, determining that the MACsec session isestablished on the first link comprises determining that the device andthe additional device successfully exchanged and verified security keys.

In a second implementation, alone or in combination with the firstimplementation, determining that the first link is active comprisesdetermining that a physical layer of the first link and a data linklayer of the first link have an active status.

In a third implementation, alone or in combination with one or more ofthe first and second implementations, enabling the second link comprisescausing a physical layer and a data link layer of the second link to beactivated.

In a fourth implementation, alone or in combination with one or more ofthe first through third implementations, sending the data to theadditional device via the first link comprises causing the data to beencrypted using an encryption algorithm associated with the MACsecsession and sending, after causing the data to be encrypted, the data tothe additional device via the first link.

Although FIG. 5 shows example blocks of process 500, in someimplementations, process 500 may include additional blocks, fewerblocks, different blocks, or differently arranged blocks than thosedepicted in FIG. 5 . Additionally, or alternatively, two or more of theblocks of process 500 may be performed in parallel.

FIG. 6 is a flow chart of an example process 600 for monitoring a linkfor establishment of a MACsec session. In some implementations, one ormore process blocks of FIG. 6 may be performed by a first device (e.g.,device 210). In some implementations, one or more process blocks of FIG.6 may be performed by another device or a group of devices (e.g., device220, device 230, device 240, and/or the like) separate from or includingthe device.

As shown in FIG. 6 , process 600 may include determining that aplurality of first links between the device and an additional device areactive (block 610). For example, the device (e.g., using processor 310,memory 315, storage component 320, input component 325, output component330, communication interface 335, input component 355, switchingcomponent 360, output component 365, controller 370, and/or the like)may determine that a plurality of first links between the device and anadditional device are active, as described above.

As further shown in FIG. 6 , process 600 may include determining that aMACsec session is not established on any first link of the plurality offirst links (block 620). For example, the device (e.g., using processor310, memory 315, storage component 320, input component 325, outputcomponent 330, communication interface 335, input component 355,switching component 360, output component 365, controller 370, and/orthe like) may determine that a MACsec session is not established on anyfirst link of the plurality of first links, as described above.

As further shown in FIG. 6 , process 600 may include disabling a secondlink between the device and a server device based on determining that aMACsec session is not established on any first link of the plurality offirst links (block 630). For example, the device (e.g., using processor310, memory 315, storage component 320, input component 325, outputcomponent 330, communication interface 335, input component 355,switching component 360, output component 365, controller 370, and/orthe like) may disable a second link between the device and a serverdevice based on determining that a MACsec session is not established onany first link of the plurality of first links, as described above.

As further shown in FIG. 6 , process 600 may include determining, afterdisabling the second link, that a MACsec session is established on atleast one first link of the plurality of first links (block 640). Forexample, the device (e.g., using processor 310, memory 315, storagecomponent 320, input component 325, output component 330, communicationinterface 335, input component 355, switching component 360, outputcomponent 365, controller 370, and/or the like) may determine, afterdisabling the second link, that a MACsec session is established on atleast one first link of the plurality of first links, as describedabove.

As further shown in FIG. 6 , process 600 may include enabling the secondlink based on determining that the MACsec session is established on theat least one first link (block 650). For example, the device (e.g.,using processor 310, memory 315, storage component 320, input component325, output component 330, communication interface 335, input component355, switching component 360, output component 365, controller 370,and/or the like) may enable the second link based on determining thatthe MACsec session is established on the at least one first link, asdescribed above.

As further shown in FIG. 6 , process 600 may include receiving, afterenabling the second link, data from the server device via the secondlink (block 660). For example, the device (e.g., using processor 310,memory 315, storage component 320, input component 325, output component330, communication interface 335, input component 355, switchingcomponent 360, output component 365, controller 370, and/or the like)may receive, after enabling the second link, data from the server devicevia the second link, as described above.

As further shown in FIG. 6 , process 600 may include sending the data tothe additional device via the at least one first link (block 670). Forexample, the device (e.g., using processor 310, memory 315, storagecomponent 320, input component 325, output component 330, communicationinterface 335, input component 355, switching component 360, outputcomponent 365, controller 370, and/or the like) may send the data to theadditional device via the at least one first link, as described above.

Process 600 may include additional implementations, such as any singleimplementation or any combination of implementations described belowand/or in connection with one or more other processes describedelsewhere herein.

In a first implementation, determining that a MACsec session is notestablished on any first link of the plurality of first links comprisesdetermining, for each first link of the plurality of first links, that aMACsec authentication process associated with the first link was notsuccessful.

In a second implementation, alone or in combination with the firstimplementation, disabling the second link comprises causing power tocease being provided to the second link.

In a third implementation, alone or in combination with one or more ofthe first and second implementations, disabling the second linkcomprises causing power to be provided to the second link.

In a fourth implementation, alone or in combination with one or more ofthe first through third implementations, sending the data to theadditional device via the at least one first link comprises causing thedata to be formatted for transmission via a MACsec session and sendingthe formatted data to the additional device via the at least one firstlink.

In a fifth implementation, alone or in combination with one or more ofthe first through fourth implementations, the device may receive, afterenabling the second link, additional data from the additional device viathe at least one first link and may send the additional data to theserver device via the second link.

In a sixth implementation, alone or in combination with one or more ofthe first through fifth implementations, the device may determine, afterenabling the second link, that a MACsec session is established on atleast one additional first link of the plurality of first links, mayreceive additional data from the server device via the second link, andmay send the additional data to the additional device via the at leastone first link or the at least one additional first link.

Although FIG. 6 shows example blocks of process 600, in someimplementations, process 600 may include additional blocks, fewerblocks, different blocks, or differently arranged blocks than thosedepicted in FIG. 6 . Additionally, or alternatively, two or more of theblocks of process 600 may be performed in parallel.

The foregoing disclosure provides illustration and description, but isnot intended to be exhaustive or to limit the implementations to theprecise forms disclosed. Modifications and variations may be made inlight of the above disclosure or may be acquired from practice of theimplementations.

As used herein, the term “component” is intended to be broadly construedas hardware, firmware, and/or a combination of hardware and software.

As used herein, the term traffic or content may include a set ofpackets. A packet may refer to a communication structure forcommunicating information, such as a protocol data unit (PDU), a networkpacket, a datagram, a segment, a message, a block, a cell, a frame, asubframe, a slot, a symbol, a portion of any of the above, and/oranother type of formatted or unformatted unit of data capable of beingtransmitted via a network.

It will be apparent that systems and/or methods described herein may beimplemented in different forms of hardware, firmware, or a combinationof hardware and software. The actual specialized control hardware orsoftware code used to implement these systems and/or methods is notlimiting of the implementations. Thus, the operation and behavior of thesystems and/or methods are described herein without reference tospecific software code—it being understood that software and hardwarecan be designed to implement the systems and/or methods based on thedescription herein.

Even though particular combinations of features are recited in theclaims and/or disclosed in the specification, these combinations are notintended to limit the disclosure of various implementations. In fact,many of these features may be combined in ways not specifically recitedin the claims and/or disclosed in the specification. Although eachdependent claim listed below may directly depend on only one claim, thedisclosure of various implementations includes each dependent claim incombination with every other claim in the claim set.

No element, act, or instruction used herein should be construed ascritical or essential unless explicitly described as such. Also, as usedherein, the articles “a” and “an” are intended to include one or moreitems, and may be used interchangeably with “one or more.” Further, asused herein, the article “the” is intended to include one or more itemsreferenced in connection with the article “the” and may be usedinterchangeably with “the one or more.” Furthermore, as used herein, theterm “set” is intended to include one or more items (e.g., relateditems, unrelated items, a combination of related and unrelated items,etc.), and may be used interchangeably with “one or more.” Where onlyone item is intended, the phrase “only one” or similar language is used.Also, as used herein, the terms “has,” “have,” “having,” or the like areintended to be open-ended terms. Further, the phrase “based on” isintended to mean “based, at least in part, on” unless explicitly statedotherwise. Also, as used herein, the term “or” is intended to beinclusive when used in a series and may be used interchangeably with“and/or,” unless explicitly stated otherwise (e.g., if used incombination with “either” or “only one of”).

What is claimed is:
 1. A non-transitory computer-readable medium storinginstructions, the instructions comprising: one or more instructionsthat, when executed by one or more processors of a device, cause the oneor more processors to: disable a first link between a server device andthe device based on determining that a Media Access Control Security(MACsec) session is not established on a second link between the deviceand a different device; determine, after disabling the first link, thatthe MACsec session is established on the second link; enable the firstlink based on determining that the MACsec session is established on thesecond link; and send, after enabling the second link, data to thedifferent device via the second link.
 2. The non-transitorycomputer-readable medium of claim 1, wherein the one or moreinstructions further cause the one or more processors to: determine thata physical layer of the first link is active.
 3. The non-transitorycomputer-readable medium of claim 1, wherein the one or moreinstructions further cause the one or more processors to: determine thata datalink layer of the first link is active.
 4. The non-transitorycomputer-readable medium of claim 1, wherein the one or moreinstructions further cause the one or more processors to: receive thedata from the server device via the first link; process the data; andwherein the one or more instructions that cause the one or moreprocessors to send the data to the different device via the second link,cause the one or more processors to: send the data to the differentdevice after the data is processed.
 5. The non-transitorycomputer-readable medium of claim 1, wherein the one or moreinstructions further cause the one or more processors to: receive thedata from the server device via the first link; cause the data to beencrypted using an encryption algorithm associated with the MACsecsession; and wherein the one or more instructions that cause the one ormore processors to send the data to the different device via the secondlink, cause the one or more processors to: send the data to thedifferent device after the data is encrypted.
 6. The non-transitorycomputer-readable medium of claim 1, wherein the second link is anEthernet link that connects a physical port of the device to a physicalport of the different device.
 7. The non-transitory computer-readablemedium of claim 1, wherein the MACsec session is not established on thesecond link between the device and the different device because anauthentication process associated with the second link was notsuccessful.
 8. A device, comprising: one or more memories; and one ormore processors to: disable a first link between the device and anotherdevice based on determining that a Media Access Control Security(MACsec) session is not established on a second link between the deviceand a different device; determine, after disabling the first link, thatthe MACsec session is established on the second link; enable the firstlink based on determining that the MACsec session is established on thesecond link; and send, after enabling the second link, data to thedifferent device via the second link.
 9. The device of claim 8, whereinthe one or more processors are further to: determine that a physicallayer of the first link is active.
 10. The device of claim 8, whereinthe one or more processors are further to: determine that a datalinklayer of the first link is active.
 11. The device of claim 8, whereinthe one or more processors, to determine that the MACsec session isestablished on the second link, are to: determine that the device andthe different device successfully exchanged and verified security keys.12. The device of claim 8, wherein the one or more processors, todisable the first link, are to: de-active the first link by changing astatus of either a physical layer or a datalink layer of the first linkto inactive.
 13. The device of claim 8, wherein the one or moreprocessors are further to: cause power to cease to be provided to thefirst link.
 14. The device of claim 8, wherein the one or moreprocessors, to determine that the MACsec session is established on thesecond link, are to: determine that the MACsec session is established onthe second link based on determining that an authentication processassociated with the MACsec session was successful.
 15. A methodcomprising: disabling, by a device, a first link based on determiningthat a Media Access Control Security (MACsec) session is not establishedon a second link between the device and a different device; determining,by the device and after disabling the first link, that the MACsecsession is established on the second link; enabling, by the device, thefirst link based on determining that the MACsec session is establishedon the second link; and sending, by the device, after enabling thesecond link, data to the different device via the second link.
 16. Themethod of claim 15, wherein disabling the first link comprises:de-activating the first link by changing a status of either a physicallayer or a datalink layer of the first link to inactive.
 17. The methodof claim 15, wherein the first link is between the device and a serverdevice.
 18. The method of claim 15, further comprising: determining thata physical layer of the first link is active.
 19. The method of claim15, further comprising: determining that a datalink layer of the firstlink is active.
 20. The method of claim 15, further comprising:receiving the data from a server device via the first link; causing thedata to be encrypted using an encryption algorithm associated with theMACsec session; and wherein sending the data to the different device viathe second link comprises: sending the data to the different deviceafter the data is encrypted.